Ms cLovnrLare 
Impact Report 


We are proud to share our 2022 Cloudflare 
Impact Report. It is a collection of our work over 
the past year to advance our mission to help 
build a better Internet, and contribute to global 
initiatives like the UN Global Compact. 


In the early days of Cloudflare, we made it a policy that every new hire had 
to interview with either of us. It’s still the case today, though now that we 
have more than 3,000 employees, we have had to enlist a few more senior 
executives to help. 


At first, these calls were about helping screen for new members of our small 
team. As Cloudflare grew, the primary purpose changed to making sure that 
everyone joining had a positive conversation with a senior member of our 
team, so if in the future they ever see something wrong they'll hopefully feel 
a bit more comfortable letting us know. 


But, there’s also another purpose. We get to hear firsthand why people 
chose to apply. That’s a barometer for what we're doing right, evaluated by 
someone with a perspective outside the organization. And, nearly every 
day, we hear some version of the same thing: the most consistent reason 
new employees want to join Cloudflare is because of our mission and the 
breadth of our impact. 


Our team wants the work they do to have a real, positive impact for the 
millions of users of our services and the billions of Internet users our 
decisions affect downstream. 


As we release this year’s report, although we certainly see a number of 


challenges for the Internet and our stakeholders, we remain optimistic that 
the opportunities continue to far outweigh those challenges. 


Cloudflare Impact Report 2022 


+ We have been inspired by the resolve and resilience of the Ukrainian people 
and the global community’s support for the people of Ukraine amid the Russian 
invasion. Given the critical role the Internet plays in times of conflict, we were 
proud to join a disparate group of people and companies, working together 
to help maintain Ukrainians’ access to the Internet and defend Ukraine from 
persistent cyber attacks. 


a 


We celebrated the 8th anniversary of Project Galileo, describing our support 
for groups that unite underprivileged girls in India, the LGBTQIA+ community 
in the Nile valley, and refugees needing healthcare services. In total, Project 
Galileo provides Cloudflare’s services for free to more than 2,150 journalists, 
humanitarian groups, and human rights organizations in 100+ countries. 


We continue to make strides in improving the way Cloudflare focuses on our 
own impact through emissions, recycling, and waste, as well as applying those 
same lessons to our products and operations to make sure that we are being 
responsible stewards of the Earth’s resources. 


. 


We also keep working to ensure that everyone — not just large companies with 
big budgets — benefits from a more secure and reliable Internet. Specifically, 
this year we focused on helping groups such as local governments and critical 
infrastructure adopt new Zero Trust tools that are increasingly imperative for all 
organizations. 


We take pride in the principles that lie at the core of what we do as a company, 
and we are energized by the Internet’s ongoing promise to make life better for 
billions of people. 
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UN Global Compact @ Cloudflare 


As a Signatory to the UN Global Compact, 
we are continually working toward the 
UN Ten Principles and the Sustainable 
Development Goals (SDGs), with annual 
tracking of our progress. 


We are joined by thousands of other companies in these shared values, 
and we see this commitment as a way to focus our efforts for helping the 


global Internet community. 
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In 2022, Cloudflare identified the following SDGs as most relevant to our 
mission to help build a better Internet. 


AE Ea SUSTAINABLE 
BSAEE DEVELOPMENT 


This report, which serves as our Communication on Progress, highlights \ 

. 7 f , Sa Oa 
ways in which we are fostering community, assisting underserved = a 
populations, and doing our part to move humanity forward. See the % Y 
Appendix for more details. as 
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Impact @ Cloudflare 


Cloudflare Impact encompasses our 
programs that help Cloudflare and 
the Internet do good in the world, 
including our environmental, social, 
and governance initiatives. 


Most Loved Workplaces 
Cloudflare was named to 
Newsweek’s 100 Most Loved 


Workplaces 2022, ranking at #55. 


Newsweek and BPI surveyed 
more than a million employees of 
hundreds of companies, asking 
about job satisfaction, emotional 
connection, collaboration, and 
many other factors. 


Webby Award 

In 2022, Project Fair Shot received 

a Webby Award in the category of 
People’s Voice Winner. Project Fair 
Shot provides our Waiting Room tool 
for free to organizations distributing 
the Covid-19 vaccine to help 
registration websites stay online. 


$35.2M 


in donated products since 2017 


E BEST 


“| PLACES TO WORK 


2022 for LGBTQ+ Equality 
100% CORPORATE EQUALITY INDEX 


Best Place to Work for LGBTQ Equality 
Cloudflare received a perfect score of 


100% on the Corporate Equality Index 
from the Human Rights Campaign. 
This benchmarking tool assesses the 
inclusivity of policies, practices, and 
benefits for LGBTQIA+ employees. 


2,524 


Internet properties protected under 
Cloudflare Impact programs 


PLEDGE 


PROUD MEMBER 


Pledge 1% 

As part of our commitment to 
Pledge 1%, Cloudflare has pledged 
1% of our time and products to give 
back to our communities. 
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2022 spotlight: 
Cloudflare assistance to Ukraine 


Since the Russian invasion, Cloudflare has 
protected Ukrainian government institutions, 
civil society organizations, and citizens from 
cyber attack at no cost. We have provided 
updates on the status of the Internet inside 
Ukraine, making sure valuable information 
gets out to the world. 


Free services for Ukrainian government and infrastructure 

On February 24, 2022, when Russia invaded Ukraine, Cloudflare moved quickly 
to offer free services and support to a wide variety of Ukrainian government 
and infrastructure providers. In addition to protecting the .ua top-level domain, 
we currently protect approximately 130 Ukrainian domains in this program, run 
by more than 50 different Ukrainian government agencies and companies. 


Free services for Ukrainian nonprofits 

We've also provided free assistance to nonprofit groups that are helping 
refugees, documenting war crimes, sharing information, and providing local 
services — these groups are simultaneously contending with cyber attacks. 
Overall, we protect 79 organizations in Ukraine, which includes 54 onboarded 
since the beginning of the invasion. 


Cyber attacks on Ukrainian infrastructure 

Since February, Ukrainian government and civilian infrastructure have come 
under a barrage of DDoS and other common cyber attacks. Ukrainian websites 
saw a significant spike in application layer firewall mitigated attacks in March 
2022 and another spike in mid-September. Ukrainian sites have also seen 

a significant increase in the percentage of requests that were mitigated as 
attack traffic on a daily average, when compared with Q4 2021. Cloudflare was 
proud to play a role in ensuring that these types of widespread DDoS and other 
cyber attacks did not disrupt the Ukrainian Internet. 


Ukraine Traffic and Firewall Mitigated - Percentage change 
(based on Billing Country) 


Note: our Firewall blocks malicious HTTP requests: e.g. L7 DDoS requests, 
hacking attempts, vulnerability scanning, brute force login attempts 


“I want to mention Cloudflare because they reached 
out to us proactively and offered help. We took 
their help and we relied on them immensely 
and | really want to express my gratitude to the 
leadership and the team there.” 


— Dmitry Kohmanyuk, .ua TLD strategist 
in Heise Online interview, 3/24/22 
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2022 spotlight: 
Birthday Week 


At Cloudflare, we celebrate our birthday by 
giving gifts back to the Internet — 

by offering tools and resources that improve 
the fundamentals of how the Internet works. 
This year, we turned 12 and celebrated with 
36 announcements, including: 


Unmetered rate limiting 

Rate Limiting, a tool that helps defend against bots and a variety of attacks, 
is now available to all customers, including on the Free plan, without extra 
charges. 


Magic Network Monitoring 

With this free and powerful analytics dashboard, users can gain visibility 
into their networks and filter traffic data by protocol, source IP, destination 
IP, TCP flags, and router IP. This visibility is an important step toward 
improving security. 


Turnstile, a free CAPTCHA alternative 

With our open beta of Turnstile, any website owner can confirm visitors 

are real people without relying on CAPTCHA. Using the API does not require 
a Cloudflare account or sending traffic through our network. 


workerd 

The JavaScript/Wasm runtime based on the same code that powers 
Cloudflare Workers is now open source. workerd makes it possible for 
developers to self-host applications, conduct local testing, and serve 
as a proxy for applications. 


Workers Launchpad 

We partnered with venture capital firms to create a $1.25B Workers 
Launchpad funding program that has since grown to $2B. The program 
helps startups running on Cloudflare Workers launch their ideas, scale 
their businesses, and get products to market faster. The first cohort was 
announced in November 2022. 


To see more details about Birthday Week, check out 
cloudflare.com/birthday-week. 
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2022 spotlight: 
Birthday Week 
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Highlights from past birthday weeks 
+ 
Email Security 
Unmetered DDoS WARP i 
Expansion Protection Available DNS wizard 
Free to Pa to All Cloudflare Email 
Automatic Routing 
IPv6 Free, Privacy-First 
Analytics 
Dedicated SSL The Bandwidth 
Universal SSL Certificates Alliance Cloudflare Radar 
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A better Internet 
is principled. 


Helping build a better Internet is a bold objective, and 

it encompasses initiatives to protect vulnerable voices, 
promote trust in democracy, relentlessly improve privacy 
measures, encourage ethical behavior, respect human rights, 
and many other goals. 
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Project Galileo 


Project Galileo helps keep vulnerable sites 
online, with free cyber security services 

for groups working in the arts, human rights, 
civil society, journalism, or democracy. 


Onboarding portal for participants 

To celebrate Project Galileo’s eighth anniversary in 2022, we unveiled 
the Cloudflare Social Impact Projects Portal, which aims to help Project 
Galileo and Athenian Project participants adopt security best practices 
and learn how to get the most out of their free services. 


New partners 

We partner with dozens of independent journalism, public interest, and 
civil society organizations to identify websites eligible for the project. This 
year, our new additions to our partnership network included International 
Media Support, CyberPeace Institute, and Digital Defense Fund. 


Learn more at cloudflare.com/galileo and check out case studies of some 
of our participants at cloudflare.com/project-galileo-case-studies. 


2014 


year started. 


2,150 


participants in 100+ countries. 


3/.9M 


cyber threats per day on average.* 


$4.2M 


in services donated in 2022. 


*Based on data from Cloudflare Radar from July 1, 2021, to May 5, 2022. 
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Athenian Project 


Through the Athenian Project, Cloudflare 


provides its highest level of security services 


to US state and local government websites 
that host information on voting and polling 
places, voter data, and the reporting of 
election results. 


Ensuring that election information is consistently and reliably available 
helps promote trust in the voting process. In preparation for the 2022 US 
midterms, Cloudflare stepped up efforts to onboard new domains, help 
Athenian Project participants improve their security, and troubleshoot 
problems. We also assembled an internal, cross-functional team 

of experts to provide rapid response to any attacks or requests for 
assistance on Election Day. 


From October 1 through November 8, 2022, government election sites 
protected by the Athenian Project experienced an average of 16,170,728 


threats per day. Fortunately, we did not identify any large-scale attacks on 


Election Day. 


As part of the Joint Cyber Defense Collaborative, Cloudflare worked 
with the US Department of Homeland Security’s Cybersecurity and 
Infrastructure Security Agency (CISA) to provide security briefings to 
state and local election officials preparing for the election, including 
webinars, security recommendations, and best practices. 


$5.9M 


in services donated in 2022. 


366 


state and local government 
domains in 31 US states receive 
free Cloudflare services through 
the Athenian Project. 


Cloudflare for Campaigns 


In 2020, we launched Cloudflare 
for Campaigns, a suite of products 
focused on the needs of political 
campaigns, particularly smaller 
campaigns that don’t have the 
ability to bring significant cyber 
security resources in-house. 


In partnership with Defending 
Digital Campaigns, we protected 
56 House campaigns, 15 political 
parties, and 34 Senate campaigns 
during the 2022 US midterm 
elections. From October 1 through 
November 8, 2022, campaign 

and party sites protected under 
this program faced an average of 
149,949 threats per day. 
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Bringing Zero Trust to Project Galileo 
and the Athenian Project 


At Cloudflare we believe that limited budgets To further support Project Galileo and Athenian Project participants, we are 
j . : now adding Zero Trust protections to these programs. Website administrators 
should not get in the way of groups doing will have a wide variety of tools to: 


important and necessary work in the world — 


Block phishing and business email compromise attacks 


efforts such as administering elections, 
reporting on corruption, assisting refugees, 


Insulate employees from untrusted web content 


supporting LGBTQ youth, advancing women’s eN R EEE Sa ares 


rights, and protecting free speech. Secure sensitive data in transit and tools for workplace collaboration 


Learn about the major components of Zero Trust architecture at 


The battle to stay online 
zerotrustroadmap.org. 


State and local election websites, which we protect under the Athenian 
Project, and at-risk public interest groups, which are eligible for Project 
Galileo, are frequently targeted by groups that seek to take them offline 
or compromise their data. 


Zero Trust protection for Project Galileo and Athenian Project participants P 
The shift to remote work has further complicated all organizations’ abilities 
to defend against attacks, protect data, and maintain visibility and security 
controls over how users move and store data across cloud environments. BX 
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Incorporating Zero Trust protection 


To better understand how Zero Trust tools can be useful for Project Galileo 
and Athenian Project participants, learn about the experiences of some of our 
early adopters and what they’re finding valuable thus far. 


Information Technology 
Disaster Resource Center 
ITDRC, a Project Galileo 
participant, is a nonprofit 
composed of thousands of 
service-oriented technical 
professionals and private sector 
partners that assist in disaster 
response operations in the United 
States. A key part of their mission 
is to leverage technology to 
connect survivors and responders 
amid crises. 


According to co-founder Chris 
Hillis, “Cloudflare Zero Trust 

is essential to securing our 
employees, volunteers, and 
disaster survivors on site and in the 
field. Cloudflare delivers secure, 
reliable, and fast connectivity 

to the Internet and critical 
applications that our teams need 
to respond to disasters effectively. 


” 


Cloudflare Impact Report 2022 


Rowan County, North Carolina 
Randy Cress, CIO for Rowan County, 
worked with Cloudflare via the 
Athenian Project to accomplish 

his goal of shielding county 
employees from phishing attacks 
and automatically blocking malicious 
threats. Randy notes, “Our team was 
able to fully onboard prior to the 
official onboarding call in less than 
30 minutes with Cloudflare. 

We were able to focus on features 
and specifics of the product offering 
in lieu of time spent in configuration 
mode and troubleshooting.” 


During the 2022 midterm elections, 
Cloudflare Zero Trust tools helped 
the county fight off credential 
harvesting attempts via email — 
Randy calls Cloudflare the county’s 
“first line of defense.” 
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Defending against email attacks 
during the midterms 


Throughout election season, websites for 
voter registration and data aren’t the only ones 
subject to attack — campaign websites are 
also targeted. These attacks interfere with the 
democratic process and voters’ ability to make 
educated decisions. 


Threats to campaign inboxes 

Email was a notable threat vector during the 2022 midterms. Malicious actors 
use email to impersonate officials or steal credentials, data, or campaign 
funds. To help combat these risks, candidates protect their campaigns 

with Cloudflare Area 1 Email Security, a Zero Trust tool. It offers advanced 
protection by crawling the Internet and investigating phishing infrastructure 
to identify phishing campaigns in advance. 


Election season highlights 

Here are a few findings from the three months leading up to the election. 
These are made possible by our preemptive campaign discovery and machine 
learning algorithms. 


Cloudflare processed over 20 million emails for campaigns and stopped around 
150K phishing attacks. 


We saw more than 10,000 emails sent that were using the names of candidates 
without their permission. 


The office of one Senate incumbent received an average of 35 malicious emails 


every day. 


Detections 


TOTAL PHISH 


7,911 220 
p Previously: 6,492 


om - 
529.87k 7,710 
A 719% A 23.88% 


TOTAL EMAILS PROCESSED 


529,870 2:7 n 


Metrics from the campaign office of a US Senator 


37.36k 382.28k 114 87 
Y -17.97% A 19.75% Y -32.14% y -13% 
[P AAA PAA AA NARA 
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Engineering privacy into the Internet 


The Internet was not built with privacy in 
mind. Cloudflare is committed to helping build 
privacy-enhancing technologies into the basic 
architecture and functions of the Internet. 


Privacy Gateway 

Even with encryption, information about consumer IP addresses and the 
names of websites they visit leak from protocols not designed to preserve 
privacy. Cloudflare has worked to develop technologies to reduce the 
availability of that information and build a more privacy-preserving Internet. 
We've released several services for DNS and other communications to help 
individuals, businesses, and governments, and we've contributed to the 
development of privacy-enhancing protocols. 


We pioneered implementation of numerous technologies designed to ensure 
Internet service providers (ISPs) and other network observers cannot track 
websites their subscribers visit. Privacy Gateway builds on those efforts 

by relaying encrypted data packets through our servers to obscure user 

IP addresses. In 2022, we partnered with a period tracker app to enable 
Privacy Gateway to prevent the ISP and app from being able to associate 
individual IP addresses with the tracker. 


WARP with privacy-preserving geolocation 

A common issue with proxy services is they can impede features that users rely 
on, such as geolocation. Our approach to privacy-preserving geolocation is to 
replace the consumer’s actual IP address with another address assigned to a 
similar general geographic area. A consumer will thus get content for the correct 
country or region, but will not expose information about themselves to their ISP 
or other network observer. 


Zaraz 


Cloudflare Zaraz is a tool for safely loading third-party JavaScript tools on 
websites. It’s common for sites to have 10 or more third-party tools, which 

make hundreds of requests to other servers. With Zaraz, third-party JavaScript 
can run in Cloudflare Workers, where scripts don’t have access to the browser. 
Since Zaraz manages the data sent to third-party tools, developers can use it to 
configure filters on what data is forwarded, including different action types (e.g., 
blocking, reporting, or masking). 
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Privacy and security 
compliance certifications 


Privacy is at the heart of everything we do. 
We seek to build and maintain trust in 
Cloudflare’s ability to keep personal data 
private and follow security best practices. 
Here is a sample of the certifications we 
have completed as part of our commitment 
to privacy and security. 


ISO 27001:2013 

Enables organizations to secure 
data and reduce the risk of 
attacks by outlining a set of 
globally accepted management 
procedures and information 
security controls. 


ISO 27701:2019 

An international privacy standard 
for protecting and managing the 
processing of personal data. We 
have been ISO 27701 certified as 
a PII Processor and PII Controller 
since 2021. 


ISO 27018:2019 

Extends an Information Security 
Management System (ISMS) to 
protect personal data when being 
processed in a public cloud. 


SOC 2 Type ll 

A security certification that 
consists of a technical audit 

and a requirement to outline 
and follow comprehensive 
information security policies and 
procedures. 


PCI DSS 3.2.1 

Helps payment processors and 
financial institutions mitigate 
the risk of credit card fraud. 
We maintain PCI DSS Level 1 
compliance and have been PCI 
compliant since 2014. 


C5:2020 

Ensures cloud service providers 
adhere to a baseline of 
information security criteria. This 
auditing standard was created 
by Germany’s Federal Office for 
Information Security (BSI). 


Cloudflare for Government achieves 
FedRAMP Moderate authorization 


Our December 2022 achievement of FedRAMP Moderate for our 
Cloudflare for Government suite of products is the first step in our journey 
to help secure US government entities. The Federal Risk and Authorization 
Management Program (FedRAMP®) is a governmentwide program that 
provides a standardized approach to security assessment, authorization, 
and continuous monitoring for cloud products and services. 
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Human rights @ Cloudflare 


Cloudflare is committed to respecting human 
rights under the UN Guiding Principles on 
Business and Human Rights (UNGPs). 


To access a full version of Cloudflare’s human rights policy, please visit 
cloudflare.com/impact. 


Companywide human rights training 

In 2022, all Cloudflare employees completed training on Cloudflare’s human 
rights policy, commitments, and identifying and reporting potential human 
rights due diligence issues. 


Partnerships 

Cloudflare continues to serve as a full-term member of the Global Network 
Initiative (GNI), which is a multistakeholder initiative composed of information 
and communications technology companies, human rights and press freedom 
organizations, academics, and investors. Its goal is to protect and advance 
freedom of expression and privacy rights by setting a global standard 

for responsible company decision-making as well as advocating against 
government restrictions and demands online. 


Cloudflare is part of the B-Tech Project’s Community of Practice, which is 
operated by the Office of the UN High Commissioner on Human Rights, and 
provides authoritative guidance and resources for implementing the UNGPs 
in the technology space. 


Human rights principles and online abuse 
Cloudflare continues to advance its internal process to respond to online 
abuse by better incorporating human rights principles, including: 


Fair process for both complainants and users 


Proportionality 


Transparency 


Multistakeholder engagement 


For more information on Cloudflare’s approach to online abuse, please visit 
cloudflare.com/trust-hub/abuse-approach. 


B-Tech 


. GLOBAL 
NETWORK 
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Transparency @ Cloudflare 


An essential part of earning and maintaining the 
trust of our customers is being transparent about 
the requests we receive from law enforcement 
and other governmental entities. 


Transparency Report 


Warrant Canaries 


Cloudflare publishes semiannual updates to our Transparency Report on the 
requests we have received to disclose information about our customers. Each 
update includes information and data regarding government requests for 
information, requests for content blocking and removal due to copyright, and 
other government requests received by Cloudflare. In 2022, we expanded our 
Transparency Report to include information on Cloudflare’s response to Child 
Sexual Abuse Material (CSAM), as well as civil court orders on blocking and 


service termination. 


To view our most recent update to our Transparency Report, please visit 


cloudflare.com/transparency. 


Cloudflare has 
never turned over 
our encryption or 
authentication keys 
or our customers’ 
encryption or 
authentication keys 
to anyone. 


Cloudflare has 
never installed any 
law enforcement 
software or 
equipment anywhere 
on our network. 


Cloudflare has 
never provided any 
law enforcement 
organization a feed 
of our customers’ 
content transiting 
our network. 


Cloudflare also maintains an up-to-date list of actions we have never taken 


on our network. We call these Warrant Canaries. This list helps our customers 


understand how we have acted in the past, and how we intend to act in the 
future. It is also a useful way to keep customers informed about potential 
law enforcement or other legal orders that prevent us from disclosing them 


Cloudflare has never 
modified customer 
content at the request 
of law enforcement or 
another third party. 


Cloudflare has 
never modified the 
intended destination 
of DNS responses 
at the request of 
law enforcement or 
another third party. 


Cloudflare has 
never weakened, 
compromised, or 
subverted any of 
its encryption at 
the request of law 
enforcement or 
another third party. 
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Ethics and compliance @ Cloudflare 


We are committed to operating with the highest 
level of ethics and integrity in everything we do. 


Anti-corruption 

We are committed to working against corruption consistent with Principle 10 of 
the UN Ten Principles, as well as the United States Foreign Corrupt Practices Act, 
the United Kingdom Bribery Act of 2010, and other applicable laws. 


Our policy against corruption is reflected in our Code of Business Conduct and 
Ethics, as well as our Third Party Code of Conduct, additional internal policies, 
and our employee handbook. All Cloudflare employees complete annual training 
on bribery and corruption. All suppliers, resellers, and partners are screened 

at onboarding to ensure we do not partner with companies at high risk for 
corruption. We are in the process of launching a new anti-bribery course for 
partners. 


Our Internal Audit team conducted regionally specific audits of our channel 
partner program, including in APJC, EMEA, and LATAM, during 2021-2022. These 
audits tested various facets of the channel partner program to ensure we have 
effective controls in place, particularly in higher-risk locations. 


Ethical conduct 

Our Code of Business Conduct and Ethics addresses topics such as fair and 
accurate reporting, fair dealing and legal compliance, conflicts of interest, anti- 
harassment, non-discrimination, health and safety at work, and fair competition. 


Fair labor and modern slavery 

We are committed to the ILO Declaration on Fundamental Principles and 
Rights at Work, as well as Principle 3 of the UN Ten Principles regarding 
freedom of association and effective recognition of the right to collectively 
bargain. Cloudflare explicitly prohibits human trafficking, and the use of 
involuntary labor. These policies are reflected in our Modern Slavery Act 
Statement for Fiscal Year 2021. 


Cloudflare strives to work only with third parties who are committed to 
operating with the same level of ethics and integrity as we do. In addition 

to our Code of Business Conduct and Ethics, we now have a Third Party 
Code of Conduct, specifically formulated with our suppliers, resellers, 

and other partners in mind. It covers such topics as human rights, fair 

labor, environmental sustainability, anti-bribery and anti-corruption, trade 
compliance, anti-competition, conflicts of interest, data privacy and security, 
and government contracting. 


Sanctions compliance 

Our commitment to compliance includes programs that prohibit us from doing 
business with sanctioned parties. Our robust compliance program includes 
safeguards designed to prevent sanctioned parties from signing up for 
service. We actively screen our customers, resellers, vendors, and partners 
to identify links to sanctioned parties and countries. Our contracts include 
commitments from our customers, resellers, vendors, and partners that they 
will comply with all applicable sanctions laws, and that they are not, nor are 
they providing our services to, sanctioned parties or entities located or based 
in sanctioned countries. 
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A better Internet 
is for everyone. 


For communities and people around the world 
to reach their potential, everyone must have 
access to a secure, performant, and reliable 
Internet that is accessible, is built by diverse 
teams, and represents the perspectives of civil 
society and other stakeholders. 


Cloudflare Impact Report 2022 
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Democratizing access 
to new technologies 


We believe that providing access to the 
tools necessary to make the Internet faster, 
more reliable, and more secure benefits 
not only our customers but also the entire 
Internet community. 


Impact on small businesses 

Small businesses don't always have the budget for security services; our 
Free plan helps these entities be more resistant to disruption, especially from 
attacks. Millions of Cloudflare accounts use only services available in our 
Free plan. Together, these Free plan customers were responsible for roughly 
70 trillion requests over the Cloudflare network in 2022. This is a value of $7 
million of content delivery network services that they received at no cost. 
Many of our Free plan users are also leveraging Cloudflare Access for free. 


Post-quantum cryptography 

Cloudflare has begun deploying cryptography that will protect our customers 
from a sufficiently powerful quantum computer with the ability to decrypt 
any encrypted data that we have today. In July 2022, the US National 
Institute of Standards and Technology (NIST) announced which post- 
quantum cryptography they will standardize to be secure against the threat 
of quantum computers. In October 2022, we announced that, as a beta 
service, all websites and APIs served through Cloudflare would support 
post-quantum hybrid key agreement. This is on by default for all of our 
customers with no need for an opt-in. This means that if a browser or app 
supports it, the connection to our network is also secure against any future 
quantum computer. 


WAF for everyone 

Reflecting our core belief that security is something that should be 
accessible to everyone, this year, we started providing a Cloudflare WAF 
(Web Application Firewall) Managed Ruleset to all Cloudflare plans, free of 
charge. The new ruleset helps mitigate against high-profile vulnerabilities like 
Shellshock and Log4j, with the goal of a better and safer Internet for all. 
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Taking steps toward a better Internet 


Building an Internet that is truly for everyone — 
one that is safe, reliable, secure, and accessible 
— involves a lot of small steps. Here are a few 
we took this year. 


Joining the AS112 project 

Cloudflare is a new participant in the AS112 project, a community effort to 

run an important network service intended to handle reverse DNS lookup 
queries for private use addresses that should never appear in the public DNS 
system. With the addition of the Cloudflare global network, we can make huge 
improvements to the reliability and performance of this distributed public 
service. The AS112 project helps reduce the load on public DNS infrastructure 
and thus plays a vital role in maintaining the stability and efficiency of the 
Internet. 


Securing Internet routing with RPKI 

In a way, the Border Gateway Protocol (BGP) is the glue that keeps the entire 
Internet connected. It is a routing protocol — it picks the most efficient routes 
for delivering traffic. However, it lacks built-in security mechanisms and makes 
the Internet vulnerable when malicious actors inject bogus routing information. 
These fraudulent routes can be used for denial-of-service and other attacks. 


One way to secure BGP routing involves validating the origin of advertised 
routes using Resource Public Key Infrastructure (RPKI). Adoption of RPKI has 
been slow, however. To track BGP’s safety, we released a method to measure 
the current percentage of Internet users that are protected by their Internet 
service provider from BGP’s vulnerabilities. Worldwide, we observe very low 
effective coverage, which means there’s still a long way to go before we can 
declare BGP to be safe. 


Upgrading our time services 

For many industries, highly accurate time is critical, whether it’s for 
synchronizing global product releases or performing logging and error 
reporting. In 2019, we launched time.cloudflare.com, our public time service 
that enables users to obtain time in an authenticated manner. This year we 
announced two major improvements: 


Appendix 


To help ensure we have the most accessible, precise, and reliable time on the 
Internet, we're increasing the geographic spread of our available stratum zero 
time sources, which means that we will have increased reliability and reduced 
jitter in our available public time services. 


In response to user requests, we’re providing custom access to our time 
infrastructure. Users will be able to employ static IP addresses, custom host 
names, and other configuration options to set up how they want to feed highly 
precise, accurate, and available time into their infrastructure. 
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Project Safekeeping 


Under-resourced organizations that are vital to the functioning of 
communities around the world face relentless cyber attacks, which 
threaten basic needs for health, safety, and security. Starting December 13, 
2022, Cloudflare will help support these vulnerable institutions by providing 
our Enterprise-level Zero Trust cyber security suite to them at no cost, with 
no time limit. 


Protecting local infrastructure 

Many countries are prioritizing investment in cyber security for critical 
infrastructure at the national level, including major financial institutions, 
hospital networks, oil pipelines, and international airports. These tend to be 
large organizations with the technical expertise and financial resources to 
obtain a variety of state-of-the-art cyber security services. However, many 
local and municipal providers, including utilities, regional transportation, 
and medical providers, face the same threats but lack the resources to 
invest in cyber security. Earlier in 2022, Cloudflare offered a program to 
help provide free cyber security services to small, under-resourced critical 
infrastructure providers in the United States. 


Introducing our newest initiative, Project Safekeeping 

In December 2022, after consultation with public officials in numerous 
countries, Cloudflare elected to offer its free Zero Trust suite for critical 
infrastructure in five new markets — Australia, Germany, Japan, Portugal, 
and the United Kingdom. 


Eligible organizations will benefit from Zero Trust tools to help with: 


Connecting users to applications 


Filtering traffic 


Securing cloud applications 


Protecting sensitive data 


Improving email security 


Increasing web browsing safety 


For more information on the project or how to apply, please visit 
cloudflare.com/Ip/project-safekeeping. 
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Improving the Internet in 
next-generation markets 


Users in next-generation markets — such as countries in Africa and the 
Middle East as well as China, India, Indonesia, and Thailand — primarily 
access the Internet through their mobile devices. Getting closer to users in 
these markets is paramount for a seamless experience because of issues 
that particularly affect mobile device users. 


For example, interference from radio waves can add latency, and not all 
power grids can support the large radio towers necessary for stability 
and speed. Users in these markets typically have to go a long way to 
get to the rest of the Internet, leading to network congestion and poor 
Internet performance. 


Cloudflare has helped improve the Internet experience for these users 

by investing in next-generation markets. Almost 60% of the cities where 
Cloudflare has deployed equipment are in these markets, and almost 80% 
of our 107 new cities of the last four years have been as well. Cloudflare’s 
Edge Partner Program allows Internet service providers (ISPs) to integrate 
their networks physically and locally with Cloudflare, bringing us as close as 
possible to their users and improving not just end user performance, but the 
basic stability of a good Internet experience on the network, too. 


Project Pangea 


Last year, Cloudflare announced Project Pangea to help underserved 
community networks get access to the Internet for free. This year, 
Cloudflare expanded this program to support even more communities 
by relaxing the technical requirements to participate. Eligible 
networks can now access Pangea services — Internet connectivity, 
DDoS protection, network firewalling, traffic acceleration, and more 
— even if they do not have their own IPv4 space. 


According to Nick Wilson of Pangea participant Ayva Networks, 
“Reliable Internet in our community isn’t a privilege, it’s an essential 
utility, and often provides the only means of communication for 
many homes in our region as cellular service is generally rare.” Ayva 
Networks is a not-for-profit wireless Internet service provider that 
provides backbone and Internet services to approximately 400 
households in Colorado. 
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Prioritizing accessibility 


A free, user-friendly alternative to CAPTCHA 


CAPTCHAs, the tests that determine if online users are humans and not 
bots, do not have legions of fans. For a less frustrating means of identifying 
legitimate traffic, Cloudflare developed Turnstile, a free tool that any 
website owner can use. Instead of deploying a CAPTCHA, the site can call 
a simple API. Using Turnstile does not require sending traffic through the 
Cloudflare network. 


Beyond the wasted time, CAPTCHAs are concerning in other ways: 


Accessibility: Assuming all users Privacy: Most CAPTCHAs are served 
have the physical and cognitive from providers that make money by 
capabilities to solve them does selling ads. This means user data 
not help build an Internet that is can potentially be harvested for ad 
for everyone. retargeting, and some providers 


even give users a worse experience 
if they don’t have a third-party 
cookie in their browser. 


Turnstile automatically chooses from a rotating suite of browser challenges 
that work behind the scenes, looking for signals there is a human user. 
Another benefit is that it recognizes Private Access Tokens from users on the 
latest versions of macOS or iOS, allowing the validation of a device with the 
help of the device vendor — but without using device data to track users. 


A more inclusive Cloudflare 
dashboard experience 

We recently overhauled the 
Cloudflare dashboard, which now 
adheres to accessibility standards 
including Web Content Accessibility 
Guidelines (WCAG) 2.1 AA and 
Section 508 of the Rehabilitation Act. 


Our goal was to ensure that as many 
people as possible can be successful 
users of the dashboard to administer 
and protect their websites. 


Performing an audit with third-party 
experts to surface accessibility 
challenges 


Updating all forms on the Cloudflare 
dashboard with screen reader and 
keyboard users top of mind 


Re-engineering charts and graphs to 
be more accessible to keyboard and 
screen reader users 
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Communities @ Cloudflare 


Within Cloudflare, employee resource groups 
(ERGs) bring together people based on shared 
heritage, identities, and interests. Through 
in-person and virtual events and conversations, 
these groups promote inclusion, shared 
understanding, and allyship. They are an 
essential part of Cloudflare culture. Our newest 
ERG, Persianflare, kicked off in 2022. 


Afroflare Asianflare Cloudflarents Desiflare Flarability Greencloud Judeoflare Latinflare 


Mindflare Nativeflare Persianflare Proudflare Soberflare Vetflare Womenflare 
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Diversity @ Cloudflare 


We do our best work when teams are diverse and 
people feel like they can bring their whole selves to 
work. To improve diversity across departments and 
roles, we rely on inclusive recruiting practices to 
help ensure a fair process and we train employees 
on mitigating unconscious bias. 


Get more details about our commitment to diversity and related data at 
cloudflare.com/diversity-equity-and-inclusion. 


Overall Gender Identity US Overall Race/Ethnicity 


American Indian or Alaska Native: 0.36% 

Asian: 29.14% 

Black or African American: 5.89% 

Hispanic or Latino: 3.20% 

Native Hawaiian or Other Pacific Islander: 0.29% 
Two or More Races: 2.33% 

White: 58.79% 


@ Masculine / Male: 67.91% 
© Feminine / Female: 31.52% 


@ Agender, Bigender, Fluid, 
Nonbinary, Other, Queer: 0.57% 


Leadership Gender Identity 


@ Masculine / Male: 77.38% 
© Feminine / Female: 22.37% 
@ Other: 0.26% 
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Cloudflare Radar 


A bird's-eye view of Internet activity 

Through Cloudflare Radar, our free tool that highlights timely insights, 
threats, and trends, we make it possible for anyone to see the inner workings 
of the Internet. For example, individual users and nonprofits use Radar to 
track outages and gain visibility into attacks and traffic trends. Radar is 
powered by aggregated data from our network as well as our 1.1.1.1 public 
DNS resolver. 


Use cases include: 


Examining the traffic impacts of major sporting events 


Tracking disruptions caused by hurricanes and earthquakes 


Analyzing the adoption of new protocols 


We also publish Radar Reports, which provide an interactive and more 
detailed look at subjects like DDoS attacks and the Meris botnet. 


Introducing Radar 2.0 

In September 2022, we launched Cloudflare Radar 2.0. This upgrade 
provides a new user experience for uncovering insights, more types of data, 
and improved access to that data. 


With Radar 2.0, we also introduced the Cloudflare Radar Outage Center 
(CROC), which is an archive for large-scale Internet outages. With our 
application programming interface (API), civil society groups, journalists, 
and other impacted parties can integrate our outage data with their own 
tools and systems. 
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Collaborating with 
civil society organizations 


Internet shutdowns have long been a tool 
in government toolboxes when it comes to 
silencing opposition and cutting off access 
from the outside world. 


Many shutdowns occur during public protests, elections, and wars as an 
extreme form of censorship in places like Afghanistan, Democratic Republic 
of the Congo, Ukraine, India, and Iran. 


Cloudflare works with civil society organizations to provide tools to track and 
document the scope of these disruptions, which affect people’s everyday 
lives and erode trust in democratic institutions. We want to support their 
critical work so they can demand accountability and condemn the use of 
shutdowns to silence dissent. 


Tracking trends with Cloudflare Radar 

Many civil society organizations and those who work in democracy-building 
use Cloudflare Radar to track trends in countries and better understand the 
rise and fall of Internet usage, including via real-time alerts. Through open 
communication and brainstorming with Radar partners, we will keep iterating 
and creating new tools to protect human rights in the digital age. 


Learn more at radar.cloudflare.com. 
Radar partners 


THE 
CARTER CENTER 


Vij Internet 

(= — International Foundation . 
for Electoral Systems Society 

Sp Pulse 


“Cloudflare Radar is sometimes the first place that 


we hear about a shutdown, which is quite useful 
in a rapid response context, since we can quickly 
mobilize to verify the shutdown and have strong 
evidence when advocating against it.” 


— Zach Rosson, #KeepItOn Data Analyst, Access Now 


“For Radar 2.0 and the API, we plan to use it as 


part of the data aggregation tool we are 
developing. This internal tool will combine several 
outage alert and monitoring tools and sources 
into one single system so that we are able to track 
incidents more efficiently.” 


— Susannah Gray, Director, Communications, Internet Society 


Internew #KeepltOn 


Local voices. Global change. 


ANDI 
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A better Internet 
is sustainable. 


As part of our efforts to understand our impact 
on the planet and to address the climate crisis, 
we are taking steps to reduce our carbon 
footprint in our operations, across our network, 
and throughout the lifecycle of our infrastructure. 


Cloudflare Impact Report 2022 
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Emissions @ Cloudflare 


Our goal is to help build a greener, carbon-free 
Internet. To that end, Cloudflare powers our 
operations with 100% renewable energy, and 
we are working to document and account for 
our remaining emissions footprint. 


Cloudflare services yield significant emissions savings 

Preliminary findings from an upcoming study by Analysys Mason estimate 
that Cloudflare’s Web Application Firewall (WAF) “generates up to around 90% 
less carbon than on-premises appliances at low-medium traffic demand.” 
According to Analysys Mason, the study is based on modeling the use of on- 
premise appliances by enterprises, and comparing the energy consumption 
(and carbon emissions) of those appliances to the energy and carbon of 
equivalent functions provided by Cloudflare from its data centers. We expect 
the final report will be available in early 2023. 


Eliminating historical emissions 

Cloudflare committed to offsetting or removing all historical greenhouse gas 
(GHG) emissions resulting from powering our network by 2025. This year, we 
completed our analysis of our historical network footprint and determined that 
from our founding until our first offset purchases in 2018, our network emitted 
approximately 31,284 metric tons (MT) of carbon dioxide equivalent (CO2e). 
To begin to address those emissions, Cloudflare made its first offset purchase 
in 2022 by supporting a Verra verified REDD+ project in the state of Para, 
Brazil, for a total of 6,060 MT CO2e. Only 25,224 MT left to go! 


Scope 3 emissions 

Cloudflare continues to work on cataloging possible sources of Scope 3 
emissions, which cover carbon emitted by others, including supply chain 
and logistics emissions. We are committed to publishing those results. 

We published our first carbon emissions inventory in 2020, which included 
Scope 1 and Scope 2 emissions. We started with those two categories to 
comply with Greenhouse Gas Protocol requirements. However, we also 
understand that in order to be fully accountable for our footprint, our future 
reporting must also include Scope 3 data. 
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Emissions @ Cloudflare 


Greenhouse gas (GHG) emissions 


In September, we published our second emissions inventory for 2021 data. We also recorded two values within our Scope 2 emissions: 

We separated our calculations into Scope 1 and Scope 2. location-based and market-based. 

Scope 1 emissions capture Scope 2 emissions are indirect, Location-based is a calculation of Market-based emissions incorporate 
activities that emit GHGs directly capturing emissions resulting from the energy used multiplied by the the environmental benefits of 

into the atmosphere, like coal-fired energy purchased through the emissions factor of the electrical grid | voluntary purchases like Cloudflare’s 
power stations, furnaces, and gas- electrical grid. where the energy was consumed. renewable energy and carbon offset 
powered vehicles. purchases. 


Our emissions analysis was conducted pursuant to the GHG Protocol and ISO 
14064, and reviewed and verified by an independent third party (see Appendix). 
Cloudflare classifies all energy consumed by its networking hardware as 

Scope 2 emissions. 


Emissions Carbon Dioxide Equivalent (CO2e) Percent of Calculated 
Category in Metric Tons (MT) Total 


Scope 1 134 100% 
Scope 2' (Location-based) 15,488.03 100% 
Facilities 874.03 5.64% 
Network 14,614 94.36% 
Scope 2? (Market-based) (0) 100% 
Total (Market-based)* o 100% 


1Location-based emissions reflect the average emissions intensity of grids on which energy consumption occurs. 
?Market-based emissions reflect emissions from electricity that an organization has purposefully chosen. 
’Total (Market-based) emissions include Cloudflare’s 2021 verified offsets and renewable energy purchases. 
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Eliminating waste — recycling 
and repurposing hardware 


A major focus of our engineering and 
sustainability teams in 2022 was reducing 
the amount of waste associated with our 
global network. 


As a result, Cloudflare has implemented sustainability principles at every 
stage of our hardware design, procurement, servicing, and decommissioning 
processes, and we are making it easier for our customers to recycle, too. 


Extending service life through modular design 

As part of designing our next generation of servers, Cloudflare has implemented 
modular design principles that will allow our future upgrades to focus on 
individual hardware components rather than replacing the entire servers. This 
will allow our engineers to continue to improve the performance and efficiency 
of our hardware, while also making better use of systems and parts that do not 
require replacement. 


In addition, Cloudflare is working with our suppliers to ensure that the new 
modular components we buy use open source, rather than proprietary, firmware 
that will allow those parts to be resold instead of being sent to a landfill. 


Recycling and e-waste 

Ninety-five percent of Cloudflare data centers are covered by contractual 
agreements to resell or recycle decommissioned Cloudflare network equipment, 
wherever possible. Based on data from our decommissioning partner, over the 
prior 12-month period, 35% of Cloudflare decommissioned hardware was either 
resold or recycled. Sixty-five percent was destroyed. Approximately 99.3% of 
destroyed items were classified as data bearing devices, including SSD cards, 
and were wiped and destroyed consistent with Cloudflare security requirements. 


Recycling with Cloudflare and Iron Mountain 

In order to make it easier to decommission and dispose of our customers’ used 
hardware appliances in a sustainable way, Cloudflare is partnering with lron 
Mountain to offer preferred pricing and value-back for our customers that 
recycle or remarket legacy hardware through their service. For more information, 
visit Iron Mountain’s website. 
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Sustainable workplaces 


Taking a new look at how we work, 
in person and remotely. 


Beyond making thoughtful decisions about our network and hardware, we have 
also been examining how to ensure our offices — and the ways we use them 
— align with our sustainability goals. We approach the design process from a 
place of curiosity, viewing our workspaces as a sort of learning lab in which we 
can pilot new techniques and more widely deploy successful initiatives. 


Some of our changes are behavioral, like reducing the number of bottled 
beverages and shifting to bulk snacks. To help keep office furniture out of 
landfills, we have been reusing (and repurposing) our existing furniture where 
possible and lending unused items to work from home employees. 


Some of our other sustainability-focused decisions have included: 


Acoustic sound baffles made from post-consumer plastic beverage bottles 
instead of new synthetic fibers 


Wood wool panels on walls that resist heat and act as insulators, lowering 
our need for heat and air conditioning 


Carpet tile flooring made with 100% recycled content nylon, including 
post-consumer nylon from discarded fishing nets 


A 500-gallon rainwater harvesting system that provides water for plants inside 
our building 


What we're looking forward to 

One of the developments we're most excited for are EntroBees — an onsite 
bee colony at one of our offices. Beyond providing an essential habitat for 
urban bees and producing honey for our local employees, the bees will serve 
as an additional source of entropy for our LavaRand system that provides the 
source of randomness for our entire encryption system. 


= An example of sustainable 
| acoustic baffles 


A workspace featuring 
preserved moss and live plants 


E 


Rainwater harvesting system 
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More bots, more trees 


Cloudflare Bot Fight Mode protects web 
properties from bad bots online by rerouting 
them to computationally intensive but 
meaningless tasks. In 2019, Cloudflare 
committed to investing in tree planting projects 
to help account for increased CPU usage by 
bad bot makers caught in Cloudflare defenses. 


Good news about bad bots 

In 2022, Bot Fight Mode issued six times more challenges per day on average 
compared to last year thanks to a new detection system written using 
Cloudflare’s ruleset engine. As the number of bots we blocked increased, 

we also saw a change: bot operators started giving up. Bots encountering 
Cloudflare’s network are abandoning their challenges in about 1/6th of the time 
it takes the average good browser to pass a non-interactive challenge. 


40,000 trees planted and counting! 

Two of the planting projects that Cloudflare supported based on 2021 bot 
activity were completed this year. The first project included 25,000 trees as 
part of the restoration of 20 hectares of land in Victoria Park in Truro, Nova 
Scotia. For the second project, Cloudflare donated 10,000 trees to a much 
larger restoration project on the eastern shoreline of Kumirmari island in the 
Sundarbans of West Bengal, India. In total, the project included more than 
415,000 trees along 7.74 hectares of land, including as part of the Sundarbans 
mangrove forest. 


To recap, Cloudflare has donated 50,000 trees thus far as part of our mission 
to destroy bad bots online; 40,000 of those trees are already in the ground, 
10,000 are being prepared for planting, and we are pleased to announce that 
we are donating another 20,000 for 2022! 


To learn more about Bot Fight Mode and Super Bot Fight Mode, please visit 
cloudflare.com/pg-lp/bot-mitigation-fight-mode. 
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Appendix 


Part of how we execute on our goal to build a better Internet 
— and act transparently and ethically as a company — is 
through our global commitments and partnerships. 


The following pages contain our disclosures for the 
Global Reporting Initiative (GRI), Sustainability Accounting 
Standards Board (SASB), and UN Global Compact (UNGC)» 


Cloudflare Impact Report 2022 
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General Disclosures 
Omission 
Part Reason Explanation 
GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Organization profile 102-1 Name of the organization Cloudflare, Inc. 
102-2 Activities, brands, products, 10-K Filing 
and services 
102-3 Location of headquarters 101 Townsend Street, San Francisco, CA 
102-4 Location of operations Cloudflare Office Locations 
10235 Ownership and legal form 10-K Filing 
102-6 Markets served 10-Q Filing 
10-K Filing 
102-7 Scale of the organization 10-Q Filing 
10-K Filing 
102-8 Information on employees and _—_ cloudflare.com/diversity-equity-and-inclusion 
Pete OURS! Cloudflare does not have a significant portion of its 
organizational activities performed by workers who are not 
employees. 
102-9 Supply chain 10-K Filing 
102-10 Significant changes to the Entire Not 
organization and its supply disclosure applicable 
chain 
102-11 Precautionary principle or See A Better Internet is sustainable, page 30. 
approach 
10212 External initiatives Cloudflare is a signatory of the UN Global Compact, and a 
member of the Global Networking Initiative. 
Cloudflare also participates in the Pledge 1% Initiative. 
102-13 Membership of associations Cloudflare participates in the following trade associations: 


BSA, i2c, CCIA, TechUK, Eco, Asia Internet Association, 
Bitkom, Germany Secure Online (Deutschland sicher im Netz), 
American Chamber of Commerce Japan, Communications 
Alliance, and US-China Business Council. 
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General Disclosures 
Omission 
Part Reason Explanation 
GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Strategy 102-14 Statement from senior See statement from Cloudflare founders, page 2. 
decision-maker 
102-15 Key impacts, risks, and 10-K Filing 
opportunities See statement from Cloudflare founders, page 2. 
See Engineering privacy into the Internet, page 15. 
See Human rights @ Cloudflare, page 17. 
See UN disclosures, starting on page 60. 
Ethics and integrity 102-16 Values, principles, standards, Code of Business Conduct and Ethics 
and norms of behavior 
102-17 Mechanisms for advice and See Ethics and compliance @ Cloudflare, page 19. 
concerns about ethics Code of Business Conduct and Ethics 
Governance 102-18 Governance structure Proxy Statement Filing 
102-19 Delegating authority Reporting on environmental, social, and governance topics 
is generally conducted by the Public Policy team and is 
overseen by the General Counsel. 
102-20 Executive-level responsibility Cloudflare’s CEO has executive responsibility for 
for economic, environmental, implementation of environmental, social, and governance 
and social topics topics. 
102-21 Consulting stakeholders on Proxy Statement Filing 
sia dalla ana Multistakeholder engagement on human rights issues is led 
p by the Public Policy team. 
Nominating and Corporate Governance Committee Charter 
102-22 Composition of the highest Proxy Statement Filing 
governance body and its 
committees 
1O2523 Chair of the highest Proxy Statement Filing 
governance body 
102-24 Nominating and selecting the Proxy Statement Filing 
highest governance body Nominating and Corporate Governance Committee Charter 
102-25 Conflicts of interest Corporate Governance Guidelines 


Audit Committee Charter 
Code of Business Conduct and Ethics 
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General Disclosures 
Omission 
Part Reason Explanation 
GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Governance 102-26 Role of highest governance Nominating and Corporate Governance 
body in setting purpose, Committee Charter 
values, and strategy 
102-27 Collective knowledge of The Nominating and Corporate Governance Committee, the 
highest governance body Audit Committee, and the Board of Directors were briefed on 
a variety of sustainability issues in 2022. 
102-29 Identifying and managing The Nominating and Corporate Governance Committee, the 
economic, environmental, and Audit Committee, and the Board of Directors were briefed on 
social impacts a variety of sustainability issues in 2022. 
102-30 Effectiveness of risk Proxy Statement Filing 
management processes 
102-31 Review of economic, The Nominating and Corporate Governance Committee, the 
environmental, and social Audit Committee, and the Board of Directors were briefed on 
topics a variety of sustainability issues in 2022. 
102-32 Highest governance body's Cloudflare’s Impact Report is managed by its General Counsel 
role in sustainable reporting and reviewed by its CFO and CEO. 
102533 Communicating critical The Nominating and Corporate Governance Committee, the 
concerns Audit Committee, and the Board of Directors were briefed on 
a variety of sustainability issues in 2022. 
102-34 Nature and total number of In 2022, there were no critical concerns as defined by 102-34 
critical concerns associated with this report that required reporting to the 
Board of Directors. 
102-35 Remuneration policies Proxy Statement Filing 
102736 Process for determining Proxy Statement Filing 
remuneration 
102=37 Stakeholders’ involvement in Proxy Statement Filing 
remuneration 
102-38 Annual total compensation Proxy Statement Filing 


ratio 
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General Disclosures 
Omission 
Part Reason Explanation 
GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Stakeholder 102-40 List of stakeholder groups Cloudflare stakeholders include its customers, users, 
engagement employees, investors, partners, and any other groups that are 
materially affected by Cloudflare’s business or the decisions 
it makes. As part of its mission to help build a better Internet, 
Cloudflare also includes the Internet and Internet community 
generally among its stakeholder groups. 
102-41 Collective bargaining 10-K Filing 
agreements 
102-42 Identifying and selecting See 102-13 and 102-40. 
stakeholders See also Engineering privacy into the Internet, page 15. 
See Project Galileo, page 10. 
See Human rights @ Cloudflare, page 17. 
See Collaborating with civil society organizations, page 29. 
102-43 Approach to stakeholder Examples of engagement with stakeholders can be found 
engagement throughout Cloudflare’s 2022 Impact Report. 
Internally, all employees have the opportunity to engage in 
open dialogue through internal communication platforms, as 
well as through Employee Resource Groups (ERG) and the 
Cloudflare Inclusion Council. 
Externally, Cloudflare’s Legal, Policy, and Trust and Safety 
teams regularly engage in industry dialogue regarding 
Internet policy. Cloudflare also participates in a number of 
multistakeholder organizations as described in 102-13. Finally, 
Cloudflare regularly engages in multistakeholder consultation 
through programs like Project Galileo, which includes 50 civil 
society partner organizations. 
See Project Galileo, page 10. 
Reporting practice 102-44 Key topics and concerns Cloudflare gathers input on its key topics and concerns from 
raised stakeholders through a variety multistakeholder organizations 
including those described in 102-13 and 102-43. 
Human Rights Policy 
102-45 Entities included in the 10-Q Filing 
consolidated financial 10-K Filing 


statements 
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General Disclosures 
Omission 
Part Reason Explanation 
GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Reporting practice 102-46 Defining report content and The report covers all of Cloudflare’s global operations. 
topic Boundaries The reporting period is calendar year (CY) 2022, unless 
otherwise stated. 
102-48 Restatements of information During 2022, there were no corrections or restatements of 
information given in the 2021 Cloudflare Impact Report. 
102-49 Changes in reporting There are no significant changes from previous reporting 
periods as described in 102-49. 
102-50 Reporting period CY2022 
102-51 Date of most recent report December 2021 
102752 Reporting cycle Annual 
102-53 Contact point for questions impact@cloudflare.com 
regarding the report 
102-54 Claims of reporting in This report is intended to align with the disclosure 
accordance with the GRI requirements as described in the GRI Standards. 
standards 
102-55 GRI content index Cloudflare 2022 GRI Content: Index (this document). 
102-56 External assurance Cloudflare’s greenhouse gas emissions were externally 


verified. See GRI 305. No other section of this report was 
externally verified. See SBC verification letter, page 67. 
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Economic 103-1 Explanation of material topic Economic performance is material to Cloudflare’s continued 
performance and its Boundary growth and long-term sustainability. 
10-K Filing 
Cloudflare’s management teams and CEO are responsible for 
economic performance as defined under 201-1. 
10352 The management approach 10-Q Filing 
and its components 10-K Filing 
10353 Evaluation of the Proxy Statement 
management approach Audit Committee Charter 
201-1 Direct economic value 10-Q Filing 
generated and distributed 10-K Filing 
Indirect economic 20372 Significant indirect Cloudflare provides world-class security, performance, and 
impacts economic impacts reliability services for millions of websites for free, through its 
free service plan. 
Cloudflare also provides free access to additional services for 
important civil society and humanitarian organizations as well 
as state and local governments and candidates for political 
office. 
See Project Galileo, page 10. 
See Athenian Project, page 11. 
Anti-corruption 103-1 Explanation of material topic Cloudflare is committed to conducting its business with 
and its Boundary integrity, as well as partnering with companies that share its 
same values against corruption. 
See Ethics and compliance @ Cloudflare, page 19. 
Code of Business Conduct and Ethics 
Third Party Code of Conduct 
103-2 The management approach Cloudflare manages corruption and bribery issues through 
and its components its policies prohibiting such conduct, and through its annual 
training and certification. 
Compliance with Cloudflare’s policy on anti-corruption as well 
as its training requirements are overseen by the Head of Legal 
Compliance and the General Counsel. 
103-3 Evaluation of the Corporate Governance Guidelines 


management approach 


Audit Committee Charter 
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GRI Standard Reference Disclosure 


Omission 


Part 


Answer Omitted 


Reason 
for Omission 


Explanation 
of Omission 


Anti-corruption 205:2 Communication and training 
about anti-corruption policies 


and procedures 


All employees, including senior managers, complete training 
on bribery and corruption at onboarding, and as part of 
annual training and certification. 


Cloudflare conducts a thorough screening of each supplier, 
reseller, and partner at onboarding and with real-time 
monitoring to ensure the company is not partnering with 
companies that pose a high risk of corruption. 


Cloudflare has selected an anti-bribery and anti-corruption 
training course for its third parties, and is preparing for rollout 
in January 2023. 


20573 Confirmed incidents of 


corruption and actions taken 


Cloudflare is aware of no incidents of corruption as described 
in 205-3 among its employees. As a result, no employee was 
dismissed or disciplined for corruption. 


Cloudflare is aware of no incidents of corruption among its 
contracted business partners. As a result, no related contract 
was terminated or discontinued on that basis. 


Cloudflare is aware of no associated legal cases brought 
against Cloudflare or its employees. 


Anti-competitive 10371 


behavior 


Explanation of material topic 
and its Boundary 


Cloudflare believes that competition laws and regulations 
throughout the world are designed to foster a competitive 
marketplace and prohibit activities that restrain trade. 


Cloudflare is dedicated to compliance with laws governing fair 
competition in all of its activities. Any activity that undermines 
this commitment is unacceptable. 


Code of Business Conduct and Ethics 


1032 The management approach 


and its components 


Anti-competitive behavior is covered by Cloudflare’s anti- 
bribery and anti-corruption policy and training, which is led 
by its Head of Legal Compliance, and overseen by its General 
Counsel. The purpose of Cloudflare’s policy is to ensure that 
all Cloudflare operations are conducted in accordance with 
relevant legal requirements and the highest ethical standards. 


103-3 Evaluation of the 


management approach 


Corporate Governance Guidelines 
Audit Committee Charter 


206-1 Legal actions for 
anticompetitive behavior, 
antitrust, and monopoly 


practices 


Cloudflare was involved in no legal actions regarding 
anti-competitive behavior, antitrust, or monopoly practices. 
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GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Tax 103-1 Explanation of material topic Cloudflare’s global tax policy is to comply with the applicable 
and its Boundary tax laws, rules, regulations, and reporting requirements within 
the jurisdictions in which it operates, as supplemented with 
advice from external advisers. Cloudflare is committed to 
paying all taxes that are legally due and in line with the spirit 
of the tax legislation as enacted by the governing authorities 
within each jurisdiction in which it operates. 
103:2 The management approach Cloudflare’s tax policy is led by its Global Head of Tax and 
and its components overseen by the Chief Financial Officer. 
10333 Evaluation of the Corporate Governance Guidelines 
management approach Audit Committee Charter 
207-1 Approach to tax Cloudflare’s tax strategy and decisions are evaluated by 


internal tax professionals and are supplemented by the advice 
of outside advisers. The executive finance organization as 

a whole plays a role in all tax decisions and tax planning 
opportunities. 


Cloudflare’s approach to compliance is conservative and 
disciplined. Its internal tax team monitors the activities of the 
business, ensuring that appropriate care is applied in relation 
to all processes that could materially affect its compliance 
with its tax obligations. Cloudflare is committed to accurately 
filing its tax returns and remitting tax payments on a timely 
basis. Furthermore, Cloudflare actively monitors changes in 
tax laws, regulations, rules, and reporting requirements as 
part of its routine procedures in financial and tax reporting. 
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Tax 


207-2 Tax governance, control, 
and risk management 


Cloudflare’s Global Head of Tax reports directly to the Chief 
Financial Officer and is responsible for the implementation of 
Cloudflare’s global tax strategy. 


The day-to-day tax matters are managed by the internal tax 
team in conjunction with the Cloudflare worldwide finance 
organization. The Global Head of Tax and the internal tax team 
are predominantly located within the US and Portugal. 


Cloudflare’s approach to tax risks is to apply prudent risk 
management strategies while avoiding inefficiencies in the 
implementation of business decisions. Cloudflare seeks 

to reduce the level of tax risk arising from its worldwide 
operations as far as is reasonably practicable through active 
monitoring of changes in the company’s business activities 
and tax legislations. Further, Cloudflare seeks to manage tax 
risk by engaging external tax advisers for guidance in areas 
that are new, complex, or uncertain to ensure adequate risk 
reduction. 


At Cloudflare, the Audit Committee serves to assist the 
Board of Directors with fulfilling its responsibilities to 
oversee management’s financial, accounting, and reporting 
processes; Cloudflare’s system of internal financial controls; 
and its compliance with related legal, regulatory, and ethical 
requirements. The Audit Committee’s scope of responsibility 
includes matters related to global taxation and reporting. 


Cloudflare is a US SEC registered filer and is required to 
disclose tax-related information in accordance with its 
quarterly and annual reporting requirements thereunder. For 
more information, please visit the SEC Filings section of the 
Cloudflare website. 


20773 Stakeholder engagement and 
management of concerns 
related to tax 


Cloudflare’s global tax function engages with tax authorities 
as part of its routine tax compliance process and where 
deemed necessary to appropriately apply the tax statutes 

and regulations to its facts and circumstances. Additionally, 

it engages with tax authorities in connection with requests 

for additional information and audits over open return years as 
necessary. 


Cloudflare does not engage in public policy advocacy on 
tax issues. 


Cloudflare’s global tax function engages with internal and 
external stakeholders to facilitate strategic initiatives, growth, 
and development of its multinational enterprise. 
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Materials 301 Materials Entire Not material As a cloud-based SaaS 
disclosure provider, materials as 
described in GRI 301-1, 
301-2, and 301-3 are nota 
material issue as defined in 
GRI 103-1 for Cloudflare. 
Cloudflare is not aware 
of any facilities in which 
Cloudflare operates that 
have had a regulatory or 
compliance issue. 
Energy 10331 Explanation of the material Cloudflare uses purchased electricity to operate 
topic and its Boundaries its global network as well as its facilities. The 
Cloudflare network includes data centers 
located in over 100 countries and 275 cities 
around the world. Cloudflare also leases space 
in 16 facilities globally. All energy data included 
in this section is based on CY2021. 
Emissions Inventory 2021 
10352 The management approach The Cloudflare network is managed by the 
and its components Senior Vice President of Global Infrastructure. 
Cloudflare facilities are managed by the Senior 
Director, Head of Real Estate & Workplace 
Operations. 
108:3 Evaluation of the management Corporate Governance Guidelines 
approach 10-K Filing 
302-1 Energy consumption within Cloudflare consumed no non-renewable energy 


the organization 


as defined under GRI 302 in CY2021. 


Cloudflare consumed 49.5 gigawatt hours 
(GWh) total energy in CY2021. All consumed 
energy was obtained through grid electricity. 
Cloudflare matched its grid consumed 
electricity with renewable energy purchases 
as part of its commitment to 100% renewable 
energy. Cloudflare did not sell any renewable 
energy in 2021. 


Emissions Inventory 2021 
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Omission 


Environmental 
Part Reason 


GRI Standard Reference Disclosure Answer Omitted for Omission Explanation of Omission 


Energy 30252 Energy consumption outside Cloudflare compiles energy data from each of 
the organization its data centers. In locations where Cloudflare 
colocates data center equipment in a facility 
owned and controlled by a third party, 
Cloudflare does not record any energy used 
by that facility that is unrelated to Cloudflare- 
owned and -controlled equipment. 


30253 Energy intensity Based on 2021 total revenue and energy data, 
Cloudflare consumed .000075 megawatt hours 
(Mwh) of energy for every dollar of revenue 
generated. 


Water 303 Water and effluents Entire Not material As a cloud-based SaaS 
disclosure provider, water and 

effluents as described in 
303-1 through 303-5 are 
not a material issue as 
defined in GRI 103-1 
for Cloudflare. The 
UN CEO Global Water 
Mandate does not classify 
Cloudflare as either a 
medium- or high-risk 
enterprise for water 
usage. Cloudflare is not 
aware of any facilities 
that it operates that 
have had a regulatory or 
compliance issue. 


Cloudflare is working 

to better understand 
and reduce water usage 
at each of its facilities, 
though it does not 
anticipate that those 
efforts will result in a 
material disclosure. 
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Environmental 


Omission 
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Answer Omitted for Omission 


Explanation of Omission 


Emissions 


103-1 


Explanation of the material 
topic and its Boundaries 


Greenhouse gas (GHG) emissions associated 
with Cloudflare operations are the result of 
energy consumed by powering its network and 
facilities. Cloudflare emissions data included 
in this section describes Cloudflare’s calendar 
year 2021 activities. 


103-2 


The management approach 
and its components 


GHG emissions are managed by the 
Infrastructure, Places, and Policy teams. 


103-3 


Evaluation of the management 
approach 


Nominating and Corporate Governance 
Committee Charter 
Emissions Inventory 2021 


305-1 


Direct (Scope 1) 
GHG emissions 


See Emissions @ Cloudflare, page 32. 


Cloudflare recorded Scope 1 location-based 
emissions of 134 metric tons (MT) carbon 
dioxide equivalent (CO2e) in 2021. Cloudflare 
used the operational control consolidation 
approach, under the GHG Protocol. 


Emissions Inventory 2021 


305-2 


Energy indirect (Scope 2) 
GHG emissions 


See Emissions @ Cloudflare, page 32. 


Cloudflare recorded the following Scope 2 
emissions in 2021: 


Location-based emissions: 15,488.03 metric 
tons (MT) carbon dioxide equivalent (CO2e). 


Market-based emissions: 0 MT CO2e. 
Emissions Inventory 2021 


305-4 


GHG emissions intensity 


Based on its CY2021 location-based emissions, 
Cloudflare emitted .000024 MT (CO2e) per 
dollar of revenue generated. 


Cloudflare emitted O market-based emissions in 
CY2021. 
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Environmental 


Omission 
Part Reason F is 
GRI Standard Reference Disclosure Answer Omitted for Omission Explanation of Omission 
Emissions 305-6 Emissions of ozone-depleting Entire Not applicable Cloudflare is not aware of 
substances (ODS) disclosure any ODS in its products, 
processes, or services. 
23057 Nitrogen oxides (NOx), sulfur Entire Not applicable Cloudflare is not aware 
oxides (SOx), and other disclosure of any of its activities 
significant air emissions that result in emission 


of nitrogen oxides, 
sulfur oxides, or other 
significant air emissions 
identified in 305-7. 


Effluents and waste 306 Effluents and waste Ninety-five percent of Cloudflare data centers 
are covered by contractual agreements to resell 
or recycle decommissioned Cloudflare network 
equipment, wherever possible. 


Based on data from Cloudflare’s provider, over 
the prior 12-month period, 35% of Cloudflare 
decommissioned hardware was either resold or 
recycled. Sixty-five percent was destroyed. 


Approximately 99.3% of destroyed items were 
classified as data bearing devices, including 
SSD cards, and were wiped and destroyed for 
security purposes. 


Environmental 307-1 Non-compliance with Cloudflare is not aware of any non-compliance 
compliance environmental laws and with environmental laws or regulations. 
regulations 
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Employment 103-1 Explanation of material topic Cloudflare provides employees with a variety of voluntary 
and its Boundary programs to promote worker health. 
Cloudflare provides access to an Employee Assistance 
Program (EAP), which includes licensed professional 
counseling services, including work/life balance assistance. In 
addition, Cloudflare employees have access to an on-demand 
digital mental health and well-being platform. 
Cloudflare provides access to a fertility benefit that covers 
a variety of family planning services, including fertility 
treatment, adoption, and gestational carrier support — also 
referred to as surrogacy. 
103:2 The management approach Employment at Cloudflare is overseen by the Head of People 
and its components and the President + COO. 
103-3 Evaluation of the 10-K Filing 
management approach Compensation Committee Charter 
401-1 New employee hires and In 2022 (as of Dec. 15, 2022), Cloudflare hired 1,300 
employee turnover employees and experienced a turnover rate of 15.9% 
(as of Dec. 15, 2022). 
401-3 Parental leave Cloudflare’s global parental leave policy allows a minimum 
of 16 paid weeks of bonding leave time for all qualifying new 
parents, with no interruption in health benefits. This is in 
addition to any local, state, and federal benefits. 
Occupational health 403-1 Occupational health and Cloudflare’s global Safe & Healthy Workplace Policy confirms 


and safety 


safety management system 


Cloudflare’s commitment to maintaining a safe and healthy 
work environment for its employees, customers, vendors, 
and all others with whom employees come into contact 
during their work. Among other topics, the policy explains 
the responsibility that is shared for following Cloudflare’s 
safety policies and instructions, encourages the reporting 

of potential hazards as well as injuries and accidents to 

the company, describes its reporting process, and shares 
additional health and safety resources and programs that are 
provided by Cloudflare. 


Cloudflare is in the process of implementing a new 
comprehensive health and safety program, which will 
include employee training, site risk assessments, and 
accident reporting, monitoring, and reviewing. The program 
implementation is expected to be complete by Q3 2023. 


Code of Business Conduct and Ethics 
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GRI Standard Reference Disclosure Answer Omitted for Omission of Omission 
Occupationalhealth 403-2 Hazard identification, risk Cloudflare’s health and safety program includes office health 
and safety assessment, and incident and safety audits. Results of the audit are reviewed by the 
investigation Places, Physical Security, Employee Legal, and People teams 
for proactive hazard identification and remediation. 
The program also includes a post-incident after-action 
review to identify incident causes and implement necessary 
prevention measures. 
403-6 Promotion of worker health Cloudflare provides employees with a variety of benefits and 
programs to promote worker health. 
Employee access to non-occupational health services 
includes healthcare insurance, EAP, family forming benefits, 
fitness program access through the healthcare provider, and 
an on-demand digital mental health and well-being platform. 
403-9 Work-related injuries In 2022, Cloudflare experienced no fatalities as a result of 
work-related injury. 
In 2022, Cloudflare experienced no high-consequence 
work-related injuries. 
Training and 10871 Explanation of material topic Learning and development at Cloudflare provides the tools 
education and its Boundary and resources for all Cloudflare employees to grow and 
develop skills critical for success (Cloudflare Capabilities) and 
build an empathetic and inclusive community. 
103-2 The management approach Learning and development at Cloudflare is overseen by the 
and its components Head of People and the President + COO. 
103-3 Evaluation of the At Cloudflare, we want to be a place where the best leaders 
management approach (at all levels) are developed. Our Leading @ Cloudflare 
program encompasses learning paths around personal 
leadership, role as a manager, creating inclusive teams, and 
helping team members develop and perform. 
404-1 Average hours of training per Of the employees who participated in development training 


year per employee 


for 2022, they completed a total of 3,720 hours. On average, 
each employee completed 3.1 hours of training. 
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Diversity and equal 103-1 Explanation of material topic See Diversity @ Cloudflare, page 27. 
opportunity and its Boundary See Communities @ Cloudflare, page 26. 
Cloudflare Diversity, Equity, and Inclusion 
103-2 The management approach Cloudflare diversity initiatives are overseen by the Head 
and its components of People and the President + COO. Cloudflare diversity 
initiatives are also advanced by its Employee Resource 
Groups and their executive champions. 
Cloudflare Diversity, Equity, and Inclusion 
1O3=3 Evaluation of the 10-K Filing 
management approach 
405-1 Diversity of governance Cloudflare Diversity, Equity, and Inclusion 
bodies and employees 
405-2 Ratio of basic salary and Cloudflare conducts an internal pay parity analysis at least 
remuneration of women once a year. Cloudflare has committed to the EU Charter, the 
to men UK Tech Talent Charter, and the German Diversity Charter. 
Cloudflare Diversity, Equity, and Inclusion 
Freedom of 103-1 Explanation of material topic Cloudflare recognizes and respects its employees’ right 
association and its Boundary to freedom of association and collective bargaining within 
and collective federal and local laws and regulations. Cloudflare is also 
bargaining committed to the ILO Declaration on Fundamental Principles 
and Rights at Work. 
Human Rights Policy 
103-2 The management approach 10-K Filing 
and its components 
103-3 Evaluation of the 10-K Filing 
management approach 
407-1 Operations and suppliers in Cloudflare recognizes and respects its employees’ right 


which the right to freedom 
of association and collective 
bargaining may be at risk 


to freedom of association and collective bargaining within 
federal and local laws and regulations. Cloudflare is also 
committed to the ILO Declaration on Fundamental Principles 
and Rights at Work. 


Human Rights Policy 
Cloudflare is not aware of any operations in 2022 in which the 


rights of employees to freely associate or collectively bargain 
were at risk. 
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Child labor 103-1 Explanation of material topic Cloudflare is committed to the ILO Declaration on 
and its Boundary Fundamental Principles and Rights at Work, including the 
prohibition on the use of child labor in its operations or among 
its suppliers. 
Human Rights Policy 
Third Party Code of Conduct 
103:2 The management approach All Cloudflare employees are required to complete mandatory 
and its components compliance training, including regarding Cloudflare’s human 
rights policy, which includes its prohibition on child labor. 
Business partners, resellers, suppliers, and vendors are 
regularly reviewed by legal, compliance, security, and senior 
leadership teams at Cloudflare. Evaluations of suppliers 
and vendors begin during the onboarding process and are 
periodically assessed for any material changes. 
103:3 Evaluation of the Cloudflare’s Human Rights Policy is overseen by the Director, 
management approach Head of Cloudflare Impact; VP, Global Head of Public Policy; 
and General Counsel. 
Cloudflare’s Third Party Code of Conduct is overseen by its 
Head of Legal Compliance and General Counsel. 
408-1 Operations and suppliers at Cloudflare is not aware of any of its operations or suppliers 
significant risk for incidents of that have significant risks for incidents of child labor or young 
child labor workers exposed to hazardous work. 
Although Cloudflare has identified no significant risk of child 
labor, it continues to regularly review its partners, resellers, 
suppliers, and vendors to ensure compliance with its policy. 
Forced or 103-1 Explanation of material topic Cloudflare is committed to the ILO Declaration on 
compulsory labor and its Boundary Fundamental Principles and Rights at Work. To that end, 
Cloudflare expressly prohibits forced or compulsory labor in 
its operations or among its suppliers. 
Modern Slavery Act Statement 
Human Rights Policy 
Third Party Code of Conduct 
103-2 The management approach All Cloudflare employees are required to complete mandatory 


and its components 


compliance training, including regarding Cloudflare’s 
prohibition on forced or compulsory labor. 


Business partners, resellers, suppliers, and vendors are 
regularly reviewed by legal, compliance, security, and senior 
leadership teams at Cloudflare. Evaluations of suppliers 

and vendors begin during the onboarding process and are 
periodically assessed for any material changes. 
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Forced or 10373 Evaluation of the Cloudflare’s Modern Slavery Act Statement and associated 
compulsory labor management approach policies, including prohibition on forced or compulsory labor, 
are overseen by its Head of Legal Compliance and General 
Counsel, and reviewed and approved by Cloudflare’s Board of 
Directors. 
409-1 Operations and suppliers at Cloudflare is not aware of any of its operations or suppliers 
significant risk for incidents of that have significant risks for incidents of forced or 
forced or compulsory labor compulsory labor. 
In 2022, as in previous years, Cloudflare continues to 
explicitly prohibit forced or compulsory labor in its operations 
and among its suppliers. Although Cloudflare has identified 
no significant risk of forced or compulsory labor, it continues 
to regularly review its partners, resellers, suppliers, and 
vendors to ensure compliance with its policy. 
Human rights 103-1 Explanation of material topic Human Rights Policy 
assessments and its Boundary 
10352 The management approach Human Rights Policy 
and its components 
10333 Evaluation of the Human Rights Policy 
management approach 
412-1 Operations that have Cloudflare is scheduled to complete its first human rights 
been subject to human self-assessment consistent with the Global Network 
rights reviews or impact Initiative’s (GNI) human rights principles in January 2023. 
assessments 
In addition, Cloudflare’s Public Policy team regularly engages 
in multistakeholder dialogue on human rights issues, including 
as part of the GNI and UN B-Tech Project Community of 
Practice. 
412-2 Employee training on human All Cloudflare employees completed human rights training 
rights policies or procedures in 2022. 
Supplier social 414-1 Supplier social assessment Cloudflare’s procurement team is in the process of 


assessment 


implementing a new software tool that will enable the 
company to screen suppliers using social criteria beginning in 
2023. 
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Public policy 103-1 Explanation of material topic Cloudflare’s Public Policy team serves as a conduit between 
and its Boundary the company and regulators, policymakers, civil society, and 
the public on policy issues relevant to Cloudflare’s mission to 
help build a better Internet 
103:2 The management approach As a global company, Cloudflare sees the way that the future 
and its components of the Internet is affected by governments, regulations, 
and people. We believe that if we want to help build 
a better Internet, we have to make sure that we share 
Cloudflare’s perspective in the many places where important 
conversations about the Internet are happening. And that is 
why we believe strongly in the value of public policy. 
We publish descriptions of our lobbying activities in lobbying 
disclosure forms and transparency registers of governmental 
entities, in jurisdictions where these exist. 
10353 Evaluation of the management The Public Policy team is overseen by the Vice President and 
approach Global Head of Public Policy and the General Counsel. 
415-1 Political contributions Cloudflare made no political contributions in 2022, and does 
not operate a Political Action Committee. 
Cloudflare participates in several trade associations and 
industry groups; however, none of those organizations 
is primarily organized for the purpose of making political 
contributions. For more information, see 102-13. 
Customer privacy 103-1 Explanation of material topic See Engineering privacy into the Internet, page 15. 
and its Boundary See Privacy and security compliance certifications, page 16. 
Privacy Policy 
Cloudflare GDPR 
10352 The management approach Cloudflare’s Privacy and associated policies are overseen by 
and its components its Data Protection Officer and General Counsel. 
418-1 Substantiated complaints Cloudflare did not receive any substantiated complaints 
concerning breaches of concerning breaches of customer privacy and losses of 
customer privacy and losses customer data in 2022. 
of customer data 
Socioeconomic 419-1 Non-compliance with laws and Cloudflare is not aware of any non-compliance with laws or 


compliance 


regulations in the economic or 
social area 


regulations in the social area. 
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SASB - Technology 
& Communications Sector Software & IT Services 
Topic Code Accounting Metric Category Answers 
Environmental TC-S1-130a.1 1) Total energy consumed, 2) percentage grid electricity, Cloudflare consumed 49.5 GWh in 2021. All consumed energy 
footprint of 3) percentage renewable was obtained through grid electricity. Cloudflare matched its grid 
hardware consumed electricity with renewable energy purchases as part of 
infrastructure its commitment to 100% renewable energy. Cloudflare did not sell 
any renewable energy in 2021. 
Emissions Inventory 2021 
TC-S1-130a.2 1) Total water withdrawn, (2) total water consumed, See GRI 303. 
percentage of regions with High or Extremely High 
Baseline Water Stress 
TC-SI-130a.3 Discussion of the integration of environmental Cloudflare includes both energy efficiency and carbon intensity 
considerations into strategic planning for data center in its data center strategic planning. Cloudflare also continuously 
needs designs and deploys energy-efficient hardware in its data centers 
to minimize its overall energy footprint per workload. 
Data privacy TC-SI-220a.1 Description of policies and practices relating Privacy Policy 
& freedom of to behavioral advertising and user privacy Cloudflare Cookie Policy 
expression 
TC-SI-220a.2 Number of users whose information is used for Cloudflare only processes personal information for the purposes 
secondary purposes of providing the Cloudflare service, which includes ongoing 
assessment of traffic patterns, security threats, and network 
operations in order to monitor the health of and improve the 
service. 
TC-SI-220a.3 Total amount of monetary losses as a result of legal Cloudflare did not experience any monetary losses as the result of 
proceedings associated with user privacy legal proceedings associated with customer privacy. 
TC-SI-220a.4 1) Number of law enforcement requests for user Cloudflare receives requests for different kinds of data on its users 


information, 2) number of users whose information was 
requested, 3) percentage resulting in disclosure 


from US and foreign governments, courts, and those involved in 
civil litigation. It provides a detailed report on these requests in the 
semiannual Transparency Report. 


Transparency Report 
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SASB - Technology 
& Communications Sector Software & IT Services 
Topic Code Accounting Metric Category Answers 
Data privacy TC-SI-220a.5 List of countries where core products or services are An essential part of earning and maintaining the trust of Cloudflare 
& freedom of subject to government-required monitoring, blocking, customers is being transparent about the requests Cloudflare 
expression content filtering, or censoring receives from law enforcement and other governmental entities. 


To this end, Cloudflare publishes semiannual updates to its 
Transparency Report on the requests it has received to disclose 
information about Cloudflare customers. In addition, Cloudflare 
maintains a list of warrant canaries on its website, which list 
actions Cloudflare has never taken, and commits to exhausting 
all legal remedies in order to protect its customers from what the 
company believes are illegal or unconstitutional requests. 


Cloudflare also may receive written requests from law 
enforcement, government agencies, or foreign courts to block 
access to content based on the local law of the jurisdiction. 
Because of the significant potential impact on freedom of 
expression, Cloudflare will evaluate each content blocking request 
on a case-by-case basis, consistent with its human rights policy, 
analyzing the factual basis and legal authority for the request. 

If Cloudflare determines that the order is valid and requires 
Cloudflare action, it may limit blocking of access to the content to 
those areas where it violates local law, a practice known as “geo- 
blocking.” Cloudflare will attempt to clarify and narrow overbroad 
requests when possible. Cloudflare reports on these requests in its 
semiannual Transparency Report. 


Cloudflare has also received a small number of legal requests 
related to blocking or filtering content through the 1.1.1.1 Public 
DNS Resolver. Because such a block would apply globally to all 
users of the resolver, regardless of where they are located, it would 
affect end users outside of the blocking government's jurisdiction. 
Cloudflare therefore evaluates any government requests or 

court orders to block content through a globally available public 
recursive resolver as requests or orders to block content globally. 


Given the broad extraterritorial effect, as well as the different 
global approaches to DNS-based blocking, Cloudflare has pursued 
legal remedies before complying with requests to block access 

to domains or content through the 1.1.1.1 Public DNS Resolver or 
identified alternate mechanisms to comply with relevant court 
orders. To date, Cloudflare has not blocked content through the 
1.1.1.1 Public DNS Resolver. 


Transparency Report 
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SASB - Technology 
& Communications Sector Software & IT Services 
Topic Code Accounting Metric Category Answers 
Data security TC-SI-230a.1 1) Number of data breaches, 2) percentage involving See GRI 418-1. 
personally identifiable information (PII), 3) number of 
users affected 
TC-SI-230a.2 Description of approach to identifying and addressing Cloudflare has implemented a formal security risk program that 
data security risks, including use of third-party cyber adheres to industry standards such as ISO 27000, 27701, and 
security standards 27018; PCI DSS; SOC 2 Type II; and C5; and has been evaluated by 
third-party assessors against the requirements. 
Cloudflare Trust Hub 
Recruiting and TC-SI-330a.1 Percentage of employees that are (1) foreign nationals Percentage of employees that are foreign nationals per country: 
managing a and 2) located offshore Australia: 6% 
global, diverse a 
& skilled Canada: 13% 
Worktorce France: 8% 
Germany: 20% 
Japan: 18% 
Netherlands: 33% 
Portugal: 46% 
Singapore: 48% 
UAE: 100% 
UK: 25% 
US: 9% 
India: 0% 
South Korea: 0% 
China: 0% 
Percentage of employees located offshore: 0.03% (1 out of 3194) 
TC-SI-330a.3 Percentage of gender and racial/ethnic group Cloudflare Diversity, Equity, and Inclusion 


representation for 1) management, 2) technical staff, and 
3) all other employees 
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SASB - Technology 

& Communications Sector Software & IT Services 

Topic Code Accounting Metric Category Answers 

Intellectual TC-SI-520a.1 Total amount of monetary losses as a result of legal Cloudflare incurred no monetary losses resulting from 

property proceedings associated with anti-competitive behavior anticompetitive behavior regulations. 

protection & regulations 

competitive 

behavior 

Managing TC-SI-550a.1 Number of 1) performance issues, and 2) service Cloudflare modified its disclosure consistent with the SASB 

systemic risks disruptions; 3) total customer downtime Standards Application Guidance. 

Sipe an In June 2022, Cloudflare experienced an outage of about 1.5 

p hours affecting 19 data centers following a change in network 
configuration. This caused some users to be unable to access 
Internet properties. 
In October 2022, the company experienced an incident that 
affected customers using Tiered Cache for a period of almost six 
hours; affected customers reported HTTP Status Code 530 errors. 
The incident was caused by a bug in a software release. 
TC-SI-550a.2 Description of business continuity risks related to 


disruptions of operations 


10-Q Filing 
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UN Ten Principles 
Human Rights Cloudflare Action 


Principle 1: Businesses should support and respect the 
protection of internationally proclaimed human rights; and 


Cloudflare maintained its commitment to respecting 
human rights under the UN Guiding Principles on Business 
and Human Rights (UNGPs) in 2022. 


In addition, Cloudflare participated in numerous 
multistakeholder initiatives committed to advancing 
international human rights. 


Principle 2: make sure that they are not complicit in human 
rights abuses. 


Cloudflare continues to develop and implement human 
rights due diligence processes across its operations, as 
well as consult with a variety of stakeholder organizations 
on topical human rights issues. 


Outcomes 


In 2022, Cloudflare instituted mandatory human rights 
training for all employees, including its senior management 
team, regarding the company’s commitment to the UNGPs. 


Cloudflare was a full-term member of the Global Network 
Initiative (GNI) in 2022, which is committed to helping 
protect and advance freedom of expression and privacy 
online. As part of its participation, Cloudflare participated 
in regular briefings with GNI members and civil society 
experts on topical human rights issues related to the 
technology industry. 


Cloudflare also participated in the B-Tech Project 
Community of Practice, which is a working group 
operated by the UN High Commissioner on Human Rights’ 
office, that works to provide authoritative guidance and 
resources for technology companies implementing the 
UNGPs. 


Cloudflare continues to work toward its first 
comprehensive self-assessment of its internal human 
rights practices as required under the GNI Principles. 
Cloudflare’s assessment will be presented to the GNI 
Board of Directors. 


Principle 3: Businesses should uphold the freedom of 
association and the effective recognition of the right to 
collective bargaining; 


As part of Cloudflare’s commitment to the ILO Declaration 
on Fundamental Principles and Rights at Work, Cloudflare 
works to uphold freedom of association and the effective 
recognition of the right to collective bargaining. 


Principle 4: the elimination of all forms of forced and 
compulsory labor; 


Cloudflare explicitly prohibits human trafficking and the 
use of involuntary labor. 


As reported in Cloudflare’s 10-K filing, the company has 
not experienced any work stoppages, and believes its 
employee relations are strong. 


Cloudflare was named to Newsweek’s 100 Most Loved 
Workplaces 2022, ranking at #55. Newsweek and BPI 
surveyed more than a million employees of hundreds 
of companies, asking about job satisfaction, emotional 
connection, collaboration, and many other factors. 


All Cloudflare employees completed mandatory 
compliance training, including regarding Cloudflare’s 
prohibition on forced or compulsory labor, in 2022. 


Cloudflare’s legal compliance staff regularly reviews and 
evaluates business partners, resellers, suppliers, and 
vendors to ensure compliance with Cloudflare policies, 
including regarding forced or compulsory labor. 


Contents 


Introduction Principled Everyone 


Sustainable Appendix 


Labor (continued) Cloudflare Action 

Cloudflare is committed to the ILO Declaration on 
Fundamental Principles and Rights at Work, including the 
prohibition on the use of child labor in its operations or 
among its suppliers. 


Principle 5: the effective abolition of child labor; and 


Human Rights Policy 
Third Party Code of Conduct 


Principle 6: the elimination of discrimination in respect of 
employment and occupation. 


Diversity, equity, and inclusion are essential to the success 
of Cloudflare. Since its founding, Cloudflare has worked 

to cultivate and maintain an inclusive workplace that 
empowers all employees to show up, as their full selves, 
and do their best work. 


Outcomes 


Cloudflare’s legal compliance staff regularly reviews and 
evaluates business partners, resellers, suppliers, and 
vendors to ensure compliance with Cloudflare policies, 
including regarding forced or compulsory labor. 


In 2022, all employees completed training on Cloudflare’s 
human rights policy, which includes its prohibition on child 
labor. 


All Cloudflare employees completed training on 
harassment and discrimination in 2022. 


In June, Cloudflare held a companywide week on 
antiracism training and education, including allyship 
workshops, training on unconscious bias, training on 
recognizing and responding to signs of distress and 
cultural considerations, and healing circles for Black 
Cloudflare employees. Cloudflare also provides additional 
antiracism resources like racial equity training. 


Cloudflare managers are provided access to additional 
training courses on antiracism allyship, inclusive people 
management, and inclusive interviewing. 


To help improve transparency and accountability 
associated with its ongoing efforts to improve diversity, 
Cloudflare published its employee diversity data in 2022. 


In 2022, Cloudflare implemented a new Third Party Code 
of Conduct that requires all suppliers to have clear policies 
and enforcement of anti-discrimination and harassment. 


Principle 7: Businesses should support a precautionary Cloudflare is committed to: 


approach toienyironmenta cnal enges: e Powering its network with 100% renewable energy. 
e Removing or offsetting all historical emissions resulting 
Principle 8: undertake initiatives to promote greater from powering Cloudflare’s network by 2025. 


environmental responsibility; and 


Principle 9: encourage the development and diffusion of 
environmentally friendly technologies. 


Cloudflare is developing environmentally friendly 
technologies by helping our customers use the power of 
Cloudflare’s network to leverage better climate outcomes. 


See Emissions @ Cloudflare, page 31. 


In 2022, Cloudflare published its CY2021 emissions 
inventory disclosing its Scope 1 and Scope 2 emissions. 


In 2022, Cloudflare purchased 49.5 GWh of renewable 
energy to account for its global energy use. 


Cloudflare reported zero market-based Scope 1 and Scope 
2 emissions in 2021. Cloudflare published its second 
greenhouse gas (GHG) emissions inventory in 2022, 

which was prepared consistent with the Greenhouse Gas 
Protocol and was independently verified. 
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Principle 10: Businesses should work against corruption in 
all its forms, including extortion and bribery. 


UN Sustainable Development Goals 


SDG 4. Quality Education 


Cloudflare Initiative 


Support for US Historically Black College and Universities 
(HBCU) technology competition. 


SDG 5. Gender Equality 


Cloudflare Initiative 


Commitments to gender equality and pay equity. 


SDG 7. Affordable and Clean Energy 


Cloudflare Initiative 


Commitment to 100% renewable energy. 


Cloudflare’s policy against bribery and corruption is 
reflected in its Code of Business Conduct and Ethics, as 
well as its internal-facing Anti-Bribery and Corruption 
Policy and employee handbook. 


Cloudflare conducts a thorough screening of each 
supplier, reseller, and partner at onboarding and with real- 
time monitoring, to ensure that it is not partnering with 
companies that pose a high risk of corruption. 


Cloudflare is committed to conducting its business with 
integrity, as well as partnering with companies that share 
its same values against corruption. 


In 2022, all employees completed training on bribery and 
corruption at onboarding, and as part of annual training 
and certification. 


In 2022, Cloudflare implemented a new, robust Third Party 
Code of Conduct, which includes its commitment against 
corruption. 


In 2022, Cloudflare supported the HBCU Smart Cities 
program, which partners student participants with city 
officials from historically Black cities and towns to help 
solve public policy challenges. Cloudflare was proud 
to offer free access to its products, provide mentors to 
student teams, and participate in a town hall event. 


Cloudflare signed several diversity charters to improve 
accountability for its gender equality and pay equity 
efforts, including the EU Charter and UK Tech Talent 
Charter. Cloudflare has also committed to the German 
Diversity Charter. 


Cloudflare matched its 2021 energy use with 100% 
renewable energy purchases. 


Cloudflare’s corporate headquarters in San Francisco, 
California, is powered by 100% Green-e Energy certified 
renewable energy, provided through CleanPowerSF’s 
SuperGreen service. 
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SDG 9. Industry, Innovation and Infrastructure 


Helping underserved communities expand access to the Target 9.c - Significantly increase access to information 

Internet for free. and communications technology and strive to provide 
universal and affordable access to the Internet in least 
developed countries by 2020. 


SDG 13. Climate Action 


In 2022, Cloudflare expanded Project Pangea to include 
community networks without their own dedicated IP 
space. Project Pangea helps locally built, community 
networks to connect to the global Internet through the 
Cloudflare network for free. 


Cloudflare was proud to join the newly created 
Montgomery, Alabama, Internet Exchange (MGMix), 
which has significantly improved Internet speed and 
performance in a historically underserved area. 


Cloudflare published its second comprehensive 
greenhouse gas emissions inventory report. 


Commitment to mitigate Cloudflare’s historical carbon 
emissions footprint. 


In 2022, Cloudflare published its second emissions 
inventory, which documents the company’s 2021 Scope 1 
and Scope 2 emissions, consistent with the GHG Protocol, 
and was verified by an independent third-party reviewer. 


Cloudflare is also committed to offsetting or removing all 
historical emissions associated with powering its network 
by 2025. In 2022, Cloudflare purchased its first set of 
offsets as part of that commitment, which included 6,060 
MT CO2e in offsets as part of the REDD+ project in the 
state of Para, Brazil. 


In 2022, Cloudflare supported the planting of an additional 
20,000 trees as part of reforestation projects in Mexico 
and Portugal through its partner One Tree Planted. 
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SDG 14. Life Below Water 


Creating more sustainable workplaces by reducing the In 2022, Cloudflare renovated its corporate headquarters 
use of plastics and leveraging recycled materials in in San Francisco and its London office, and included a 
construction. number of sustainable products designed to support life 


below water, including: 


e Selecting carpet tile flooring made with 100% recycled 
content nylon, including post-consumer nylon from 
discarded fishing nets. In addition, profits from that 
supplier are reinvested in ocean and beach restoration. 


e Installing a 500-gallon rainwater harvesting system that 
provides water for plants inside the building. 


e Installing sound baffles made from post-consumer 
plastic beverage bottles instead of new synthetic fibers. 

e Significantly reducing or eliminating single-use plastics 
like bottled beverages and individually wrapped food 


items. 
SDG 15. Life on Land 
Cloudflare Initiative Key SDG Subtarget Outcomes 
Offsetting our historical emissions and mitigating the Target 15.1 - By 2020, ensure the conservation, restoration In 2022, Cloudflare purchased its first set of offsets as 
carbon impact of malicious bots online by supporting tree and sustainable use of terrestrial and inland freshwater part of its commitment, which included 6,060 MT CO2e in 
planting projects. ecosystems and their services, in particular forests, offsets as part of the REDD+ project in the state of Para, 


wetlands, mountains and drylands, in line with obligations Brazil. 


unaermiernationalagreements: In 2022, Cloudflare supported the planting of an additional 


Target 15.2 - By 2020, promote the implementation of 20,000 trees as part of reforestation projects in Mexico 
sustainable management of all types of forests, halt and Portugal through its partner One Tree Planted. 
deforestation, restore degraded forests and substantially 

increase afforestation and reforestation globally. 
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SDG 16. Peace, Justice and Strong Institutions 


Free Cloudflare services, including protection from 
distributed denial-of-service (DDoS) and other cyber 
attacks, for journalists, artists, humanitarian organizations, 
and civil society groups. 


Target 16.10 - Ensure public access to information and 
protect fundamental freedoms, in accordance with 
national legislation and international agreements. 


Target 16.3 - Promote the rule of law at the national 
and international levels and ensure equal access to 
justice for all. 


Target 16.6 - Develop effective, accountable and 
transparent institutions at all levels. 


Target 16.7 - Ensure responsive, inclusive, participatory 
and representative decision-making at all levels. 


As of November 2022, 2,150 civil society organizations in 
100+ countries were receiving free cyber security services 
through Cloudflare’s Project Galileo. 


Cloudflare partners with 50 civil society organizations 
to review and approve websites included in the Galileo 
program. 


In 2022, Cloudflare expanded Project Galileo by making 
its Zero Trust security products available to program 
participants. 


Protecting state and local governments with free 
protection and reliability services to ensure constituents 
have access to election information and voter registration 
online. 


In 2022, Cloudflare’s Athenian Project protected 366 
state and local government web domains that provide 
information on voter registration, polling places, and final 
election results in 31 US states. 


In 2022, Cloudflare expanded the Athenian Project by 
making its Zero Trust security products available to all 
program participants. 


Protecting candidates in democratic elections from cyber 
attacks. 


Through a partnership with Defending Digital Campaigns, 
Cloudflare protected 56 House campaigns, 15 political 
parties, and 34 Senate campaigns during the 2022 

US midterm elections via the program Cloudflare for 
Campaigns. 


Internet shutdown monitoring and alerts to support human 
rights defenders. 


Cloudflare Radar, a free tool that highlights timely insights, 
threats, and trends, makes it possible for anyone to see 
the inner workings of the Internet. For example, individual 
users and nonprofits use Radar to track outages and gain 
visibility into attacks and traffic trends. Radar is powered 
by aggregated data from the Cloudflare network as well as 
the 1.1.1.1 public DNS resolver. 


In 2022, Cloudflare launched Cloudflare Radar 2.0. This 
upgrade provides a new user experience for uncovering 
insights, more types of data, and improved access to that 
data. 


Radar 2.0 also introduced the Cloudflare Radar Outage 
Center (CROC), which is an archive for large-scale Internet 
outages. With an application programming interface 

(API), civil society groups, journalists, and other impacted 
parties can integrate Cloudflare outage data with their 
own tools and systems. 


Protecting critical infrastructure through 
Project Safekeeping 


Cloudflare Impact Re 


In 2022, Cloudflare launched Project Safekeeping, which 

will allow local and municipal critical infrastructure 

providers in Australia, Germany, Japan, Portugal, and 

the United Kingdom to access Cloudflare’s Zero Trust 65 
security suite for free. 
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CEO letter: UN Global Compact 


December 16, 2022 


H.E. António Guterres 
Secretary-General 
United Nations 

New York, NY 10017 


Mr. Secretary-General, 


As a signatory of the United Nations (UN) Global Compact, Cloudflare remains committed to the 
UN Ten Principles and supporting the advancement of the UN Sustainable Development Goals. 
As part of that commitment, Cloudflare is proud to share our 2022 Communication on Progress 

with the UN Global Compact community and our stakeholders. 


Cloudflare continued to identify ways to leverage our global network to help promote sustainable 
development in 2022. For example, we recently announced that participants in Cloudflare's 
Project Galileo, which includes over 2,150 journalists, humanitarian organizations, and human 
rights defenders in 100+ countries, will now have access to our Zero Trust cyber security services 
for free. We also continued to grow and expand our free cyber security offerings for US state 
and local government election web properties, as well as small critical infrastructure providers in 
the United States, Australia, Germany, Japan, Portugal, and the United Kingdom. Finally, we 
continued to expand programs intended to promote Internet access, including connecting small 
rural networks to the global Internet for free and investing in Internet exchanges in historically 
underserved areas. 


Cloudflare’s participation as a signatory in the UN Global Compact continues to help align our 
corporate responsibility and sustainability initiatives with global development goals, and 
advance our mission to help build a better Internet. I’m proud to share this report on our 
progress. 


Sincerely, 


é 


Matthew Prince 
Co-Founder & CEO 
Cloudflare 
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SBC verification letter 


Cloudflare The verification statement is signed by a Lead Verifier and Peer Reviewer. The Verifier and 
Attn: Patrick Day Peer Reviewer have a combined 30 years of experience in Sustainability Consulting. 

101 Townsend St 

San Francisco, CA 94107 


Sustainable Business Consulting C.-2, K— 


3409 California Ave SW, Suite C 


Seattle, WA 98116 Courtney Blann, Lead Verifier 
(MBA Strategy and Sustainability, MPS Data Analytics) 
July 2, 2022 

July 2, 2022 


Dear Patrick, 


Sustainable Business Consulting (SBC) is pleased to provide an independent and impartial 

verification of Cloudflare’s 2021 Greenhouse Gas (GHG) inventory. SBC has provided 15 RAA 
years of sustainability consulting services and is a Certified B-Corporation and a CDP 

Accredited Provider. SBC used ISO 14064-part 3, 2nd Edition, 2019-04, to conduct a limited 


assurance verification. This letter is to clarify matters set out in the assurance report. It is Ruth Lee, Peer Reviewer 
not an assurance report and is not a substitute for the assurance report. This letter and the (BA, Community, Environment Date & Planning) 
assurance report, including the opinion(s), are solely for Cloudflare’s benefit. SBC consents to July 2, 2022 


the release of this letter but without accepting or assuming any liability on SBC’s part to any 
other party who has access to this letter or assurance report. 


This verified emissions report encompassed Cloudflare’s operations for the 2021 calendar 
year, January through December 2021. Cloudflare reports GHG emissions using an 
operational control approach encompassing global operations including offices and data 
centers. The company assessed emissions for Scope 1, direct emissions, and Scope 2, 
indirect emissions. Scope 3 emissions are excluded. Included emissions are as follows: 


e Scope 1 Emissions: Direct emissions associated with natural gas used to heat offices. 


e Scope 2 Emissions: Indirect emissions associated with purchased electricity in offices and 
co-located data centers. 


The verification confirms the accuracy and completeness of the information provided 
to substantiate Cloudflare’s 2021 GHG emissions reporting. Cloudflare’s total reported 
emissions are 15,622.03 MT CO2e. Verified emissions by scope are as follows: 


e Scope 1: 134 Mt CO2e 
e Scope 2: 15,488.03 MT CO2e (location based) 


SBC has found no evidence that Cloudflare’s 2021 GHG emissions reports or data were 
incorrect, as everything was found to be presented fairly and in accordance with stated 
criteria in line with the GHG Protocol Corporate Accounting and Reporting Standard and the 
ISO 14064 Standard. 


For more information, please visit cloudflare.com/impact. 


